
Malware Removal Instructions

Adware.Trymedia.B.2


Unread postby Shaenaus » August 24th, 2006, 11:57 pm

G'day Navigator,

Here are the logs:

---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at: 1:35:56 PM 25/08/2006

+ Scan result:



C:\WINDOWS\Temp\tmp58 -> Adware.Trymedia : Cleaned with backup (quarantined).
C:\WINDOWS\Temp\tmp59 -> Adware.Trymedia : Cleaned with backup (quarantined).
C:\WINDOWS\Temp\tmp5a -> Adware.Trymedia : Cleaned with backup (quarantined).
C:\WINDOWS\Temp\tmp5b -> Adware.Trymedia : Cleaned with backup (quarantined).
C:\WINDOWS\Temp\tmp5d -> Adware.Trymedia : Cleaned with backup (quarantined).
C:\WINDOWS\Temp\tmp5f -> Adware.Trymedia : Cleaned with backup (quarantined).
C:\WINDOWS\Temp\tmp60 -> Adware.Trymedia : Cleaned with backup (quarantined).
C:\WINDOWS\Temp\tmp61 -> Adware.Trymedia : Cleaned with backup (quarantined).
C:\WINDOWS\Temp\tmp63 -> Adware.Trymedia : Cleaned with backup (quarantined).
C:\WINDOWS\Temp\tmp64 -> Adware.Trymedia : Cleaned with backup (quarantined).
C:\WINDOWS\Temp\tmp65 -> Adware.Trymedia : Cleaned with backup (quarantined).
C:\WINDOWS\Temp\tmp67 -> Adware.Trymedia : Cleaned with backup (quarantined).
C:\WINDOWS\Temp\tmp68 -> Adware.Trymedia : Cleaned with backup (quarantined).
C:\WINDOWS\Temp\tmp69 -> Adware.Trymedia : Cleaned with backup (quarantined).
:mozilla.103:C:\Documents and Settings\Christian\Application Data\Mozilla\Firefox\Profiles\kvnohxqo.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.113:C:\Documents and Settings\Christian\Application Data\Mozilla\Firefox\Profiles\kvnohxqo.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.72:C:\Documents and Settings\Christian\Application Data\Mozilla\Firefox\Profiles\kvnohxqo.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
C:\Documents and Settings\Christian\Cookies\christian@2o7[2].txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
C:\Documents and Settings\Christian\Cookies\christian@microsoftoffice.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.61:C:\Documents and Settings\Christian\Application Data\Mozilla\Firefox\Profiles\kvnohxqo.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned with backup (quarantined).
:mozilla.62:C:\Documents and Settings\Christian\Application Data\Mozilla\Firefox\Profiles\kvnohxqo.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned with backup (quarantined).
:mozilla.63:C:\Documents and Settings\Christian\Application Data\Mozilla\Firefox\Profiles\kvnohxqo.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned with backup (quarantined).
:mozilla.64:C:\Documents and Settings\Christian\Application Data\Mozilla\Firefox\Profiles\kvnohxqo.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned with backup (quarantined).
:mozilla.10:C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\bbowwcxs.default\cookies.txt -> TrackingCookie.Adtech : Cleaned with backup (quarantined).
:mozilla.11:C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\bbowwcxs.default\cookies.txt -> TrackingCookie.Adtech : Cleaned with backup (quarantined).
:mozilla.45:C:\Documents and Settings\Christian\Application Data\Mozilla\Firefox\Profiles\kvnohxqo.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned with backup (quarantined).
C:\Documents and Settings\Christian\Cookies\christian@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned with backup (quarantined).
:mozilla.22:C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\bbowwcxs.default\cookies.txt -> TrackingCookie.Burstnet : Cleaned with backup (quarantined).
:mozilla.23:C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\bbowwcxs.default\cookies.txt -> TrackingCookie.Burstnet : Cleaned with backup (quarantined).
:mozilla.24:C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\bbowwcxs.default\cookies.txt -> TrackingCookie.Burstnet : Cleaned with backup (quarantined).
:mozilla.33:C:\Documents and Settings\Christian\Application Data\Mozilla\Firefox\Profiles\kvnohxqo.default\cookies.txt -> TrackingCookie.Burstnet : Cleaned with backup (quarantined).
:mozilla.68:C:\Documents and Settings\Christian\Application Data\Mozilla\Firefox\Profiles\kvnohxqo.default\cookies.txt -> TrackingCookie.Clickhype : Cleaned with backup (quarantined).
:mozilla.69:C:\Documents and Settings\Christian\Application Data\Mozilla\Firefox\Profiles\kvnohxqo.default\cookies.txt -> TrackingCookie.Clickhype : Cleaned with backup (quarantined).
:mozilla.102:C:\Documents and Settings\Christian\Application Data\Mozilla\Firefox\Profiles\kvnohxqo.default\cookies.txt -> TrackingCookie.Com : Cleaned with backup (quarantined).
C:\Documents and Settings\Christian\Cookies\christian@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned with backup (quarantined).
:mozilla.131:C:\Documents and Settings\Christian\Application Data\Mozilla\Firefox\Profiles\kvnohxqo.default\cookies.txt -> TrackingCookie.Esomniture : Cleaned with backup (quarantined).
:mozilla.18:C:\Documents and Settings\Christian\Application Data\Mozilla\Firefox\Profiles\kvnohxqo.default\cookies.txt -> TrackingCookie.Esomniture : Cleaned with backup (quarantined).
:mozilla.55:C:\Documents and Settings\Christian\Application Data\Mozilla\Firefox\Profiles\kvnohxqo.default\cookies.txt -> TrackingCookie.Esomniture : Cleaned with backup (quarantined).
:mozilla.84:C:\Documents and Settings\Christian\Application Data\Mozilla\Firefox\Profiles\kvnohxqo.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup (quarantined).
:mozilla.85:C:\Documents and Settings\Christian\Application Data\Mozilla\Firefox\Profiles\kvnohxqo.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup (quarantined).
:mozilla.86:C:\Documents and Settings\Christian\Application Data\Mozilla\Firefox\Profiles\kvnohxqo.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup (quarantined).
:mozilla.93:C:\Documents and Settings\Christian\Application Data\Mozilla\Firefox\Profiles\kvnohxqo.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup (quarantined).
:mozilla.132:C:\Documents and Settings\Christian\Application Data\Mozilla\Firefox\Profiles\kvnohxqo.default\cookies.txt -> TrackingCookie.Revenue : Cleaned with backup (quarantined).
:mozilla.133:C:\Documents and Settings\Christian\Application Data\Mozilla\Firefox\Profiles\kvnohxqo.default\cookies.txt -> TrackingCookie.Revenue : Cleaned with backup (quarantined).
:mozilla.134:C:\Documents and Settings\Christian\Application Data\Mozilla\Firefox\Profiles\kvnohxqo.default\cookies.txt -> TrackingCookie.Revenue : Cleaned with backup (quarantined).
:mozilla.42:C:\Documents and Settings\Christian\Application Data\Mozilla\Firefox\Profiles\kvnohxqo.default\cookies.txt -> TrackingCookie.Ru4 : Cleaned with backup (quarantined).
:mozilla.43:C:\Documents and Settings\Christian\Application Data\Mozilla\Firefox\Profiles\kvnohxqo.default\cookies.txt -> TrackingCookie.Ru4 : Cleaned with backup (quarantined).
:mozilla.73:C:\Documents and Settings\Christian\Application Data\Mozilla\Firefox\Profiles\kvnohxqo.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned with backup (quarantined).
:mozilla.74:C:\Documents and Settings\Christian\Application Data\Mozilla\Firefox\Profiles\kvnohxqo.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned with backup (quarantined).
:mozilla.75:C:\Documents and Settings\Christian\Application Data\Mozilla\Firefox\Profiles\kvnohxqo.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned with backup (quarantined).
:mozilla.76:C:\Documents and Settings\Christian\Application Data\Mozilla\Firefox\Profiles\kvnohxqo.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned with backup (quarantined).
:mozilla.49:C:\Documents and Settings\Christian\Application Data\Mozilla\Firefox\Profiles\kvnohxqo.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup (quarantined).
:mozilla.26:C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\bbowwcxs.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned with backup (quarantined).
:mozilla.27:C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\bbowwcxs.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned with backup (quarantined).
:mozilla.28:C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\bbowwcxs.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned with backup (quarantined).
:mozilla.29:C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\bbowwcxs.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned with backup (quarantined).
:mozilla.30:C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\bbowwcxs.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned with backup (quarantined).
:mozilla.34:C:\Documents and Settings\Christian\Application Data\Mozilla\Firefox\Profiles\kvnohxqo.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned with backup (quarantined).
:mozilla.138:C:\Documents and Settings\Christian\Application Data\Mozilla\Firefox\Profiles\kvnohxqo.default\cookies.txt -> TrackingCookie.Webtrendslive : Cleaned with backup (quarantined).
:mozilla.46:C:\Documents and Settings\Christian\Application Data\Mozilla\Firefox\Profiles\kvnohxqo.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup (quarantined).
:mozilla.47:C:\Documents and Settings\Christian\Application Data\Mozilla\Firefox\Profiles\kvnohxqo.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup (quarantined).
:mozilla.48:C:\Documents and Settings\Christian\Application Data\Mozilla\Firefox\Profiles\kvnohxqo.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup (quarantined).
:mozilla.48:C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\bbowwcxs.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup (quarantined).
:mozilla.49:C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\bbowwcxs.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup (quarantined).
:mozilla.51:C:\Documents and Settings\Christian\Application Data\Mozilla\Firefox\Profiles\kvnohxqo.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup (quarantined).
:mozilla.54:C:\Documents and Settings\Christian\Application Data\Mozilla\Firefox\Profiles\kvnohxqo.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup (quarantined).


::Report end


Here is the BlackLight log:

08/25/06 13:44:04 [Info]: BlackLight Engine 1.0.46 initialized
08/25/06 13:44:04 [Info]: OS: 5.1 build 2600 (Service Pack 2)
08/25/06 13:44:05 [Note]: 7019 4
08/25/06 13:44:05 [Note]: 7005 0
08/25/06 13:44:12 [Note]: 7006 0
08/25/06 13:44:12 [Note]: 7011 1792
08/25/06 13:44:12 [Note]: 7026 0
08/25/06 13:44:12 [Note]: 7026 0
08/25/06 13:44:25 [Note]: FSRAW library version 1.7.1019
08/25/06 13:46:04 [Note]: 4013 27688
08/25/06 13:46:04 [Note]: 4020 38209 65536
08/25/06 13:46:04 [Note]: 4020 38209 65536
08/25/06 13:46:04 [Note]: 4018 38209 65536
08/25/06 13:46:04 [Note]: 4013 27688
08/25/06 13:46:04 [Note]: 4020 38209 65536
08/25/06 13:46:04 [Note]: 4018 38209 65536
08/25/06 13:50:04 [Note]: 2000 1006
08/25/06 13:50:51 [Note]: 7007 0
Shaenaus
Regular Member
 
Posts: 26
Joined: July 31st, 2006, 8:20 pm
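Reading a long ewido report like the one above by eye is error-prone. The following script is an added example, written for this thread and not code from the poster or from ewido: it parses lines in that "Scan result" format into per-family and per-profile counts and pulls out the entries that deserve a second look (anything that is not a tracking cookie, or that the scanner did not actually clean). The sample report is constructed to mirror the format; the final Trojan.Placeholder line is invented so that the not-cleaned case is exercised.

```python
import re
from collections import Counter

# Constructed sample in the ewido anti-spyware "Scan result" format (not the
# poster's real log). The last line is an invented, non-cleaned detection so
# the follow-up logic has something to catch.
SAMPLE_REPORT = r"""
+ Scan result:

C:\WINDOWS\Temp\tmp58 -> Adware.Trymedia : Cleaned with backup (quarantined).
C:\WINDOWS\Temp\tmp59 -> Adware.Trymedia : Cleaned with backup (quarantined).
:mozilla.103:C:\Documents and Settings\Christian\Application Data\Mozilla\Firefox\Profiles\kvnohxqo.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
C:\Documents and Settings\Christian\Cookies\christian@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned with backup (quarantined).
:mozilla.22:C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\bbowwcxs.default\cookies.txt -> TrackingCookie.Burstnet : Cleaned with backup (quarantined).
C:\WINDOWS\system32\PLACEHOLDER.dll -> Trojan.Placeholder : Ignored.

::Report end
"""

# One result line: an optional ":mozilla.<n>:" cookie index (entry number
# inside a Firefox cookies.txt), then "<path> -> <detection> : <action>."
LINE_RE = re.compile(
    r'^(?::mozilla\.(?P<idx>\d+):)?(?P<path>.+?) -> (?P<name>\S+) : (?P<action>.+?)\.?$'
)
# Paths under a profile folder tell us which account the item belongs to.
USER_RE = re.compile(r'^C:\\Documents and Settings\\([^\\]+)\\', re.IGNORECASE)


def parse_report(text):
    """Turn ewido result lines into dicts; lines that are not results are skipped."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        path = m.group('path')
        user_m = USER_RE.match(path)
        findings.append({
            'path': path,
            'cookie_index': int(m.group('idx')) if m.group('idx') else None,
            'name': m.group('name'),
            # "Adware.Trymedia" -> family "Adware"; "TrackingCookie.2o7" -> "TrackingCookie"
            'family': m.group('name').split('.', 1)[0],
            'action': m.group('action'),
            'cleaned': m.group('action').startswith('Cleaned'),
            # Anything outside a profile folder is attributed to the system.
            'user': user_m.group(1) if user_m else 'SYSTEM',
        })
    return findings


def summarize(findings):
    """Counts per detection family, per detection name and per user profile."""
    return {
        'by_family': Counter(f['family'] for f in findings),
        'by_name': Counter(f['name'] for f in findings),
        'by_user': Counter(f['user'] for f in findings),
    }


def follow_up(findings):
    """Entries worth a second look: not a tracking cookie, or not actually cleaned."""
    return [f for f in findings
            if f['family'] != 'TrackingCookie' or not f['cleaned']]


if __name__ == '__main__':
    found = parse_report(SAMPLE_REPORT)
    s = summarize(found)
    for fam, n in s['by_family'].most_common():
        print(f'{fam:<16}{n}')
    for user, n in s['by_user'].most_common():
        print(f'profile {user:<10}{n}')
    for f in follow_up(found):
        flag = '' if f['cleaned'] else '  <-- NOT cleaned'
        print(f"{f['name']}: {f['path']}{flag}")
```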

Unread postby Navigator » August 25th, 2006, 12:55 pm

G'day to you too shane...

I do not see anything in the BlackLight scan (which is good)...are you still having the problems with the pop-ups now that we've emptied the temp folders and run Ewido?

Let me know..if you are, there are a few more things we can try to do to see what's keeping this alive... :shock:
Navigator
MRU Honors Grad Emeritus
 
Posts: 1237
Joined: December 21st, 2005, 8:35 pm
Location: Missouri

Unread postby Shaenaus » August 28th, 2006, 8:16 pm

Well, I thought the problem had been solved and I was about to post the good news here but then I did one last check of my son's account and BitDefender reported Adware again!

It appears that the "Administrator" account is clean and 4 of the 5 user accounts are also clean. There is just the one account which still appears to be infected.
Shaenaus
Regular Member
 
Posts: 26
Joined: July 31st, 2006, 8:20 pm

Unread postby Navigator » August 28th, 2006, 8:20 pm

Hey shane....

Have you posted for me a HJT log FROM your son's account? Log into his account and run HJT from there...

If not, go ahead and do that for me to look at.....
Navigator
MRU Honors Grad Emeritus
 
Posts: 1237
Joined: December 21st, 2005, 8:35 pm
Location: Missouri

Unread postby Shaenaus » August 28th, 2006, 11:04 pm

I logged into my son's account and did a scan with HJT.

Logfile of HijackThis v1.99.1
Scan saved at 1:00:12 PM, on 29/08/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Alias\Maya6.5\docs\wrapper.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Alias\Maya 7.0 Personal Learning Edition\docs\wrapper.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Alias\Maya6.5\docs\jre\bin\java.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\Program Files\Alias\Maya 7.0 Personal Learning Edition\docs\jre\bin\java.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
C:\Program Files\Softwin\BitDefender9\vsserv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Nero\Nero 7\InCD\InCD.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\PROGRA~1\Softwin\BITDEF~1\bdmcon.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\PROGRA~1\Softwin\BITDEF~1\bdnagent.exe
C:\PROGRA~1\Softwin\BITDEF~1\bdswitch.exe
C:\Program Files\TrojanHunter 4.5\THGuard.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\Program Files\HijackThis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] "C:\Program Files\Nero\Nero 7\InCD\InCD.exe"
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKLM\..\Run: [BDMCon] C:\PROGRA~1\Softwin\BITDEF~1\bdmcon.exe
O4 - HKLM\..\Run: [PWRISOVM.EXE] "C:\Program Files\PowerISO\PWRISOVM.EXE"
O4 - HKLM\..\Run: [BDNewsAgent] "C:\PROGRA~1\Softwin\BITDEF~1\bdnagent.exe"
O4 - HKLM\..\Run: [BDSwitchAgent] "C:\PROGRA~1\Softwin\BITDEF~1\bdswitch.exe"
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.5\THGuard.exe"
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/Mi ... b31267.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/Shar ... vSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/Shar ... /cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 5073631704
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan ... asinst.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe" /service (file missing)
O23 - Service: Maya 6.5 Documentation Server (maya65docserver) - Unknown owner - C:\Program Files\Alias\Maya6.5\docs\wrapper.exe" -s "C:\Program Files\Alias\Maya6.5\docs\Wrapper.conf (file missing)
O23 - Service: Maya 7 PLE Documentation Server (mple7docserver) - Unknown owner - C:\Program Files\Alias\Maya 7.0 Personal Learning Edition\docs\wrapper.exe" -s "C:\Program Files\Alias\Maya 7.0 Personal Learning Edition\docs\Wrapper.conf (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - Unknown owner - C:\Program Files\Softwin\BitDefender9\vsserv.exe" /service (file missing)
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
O23 - Service: BitDefender Communicator (XCOMM) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe" /service (file missing)
Shaenaus
Regular Member
 
Posts: 26
Joined: July 31st, 2006, 8:20 pm

Unread postby Navigator » August 28th, 2006, 11:20 pm

OK shane....there's not anything in there that I see either...

Stay in your son's account (but it probably won't matter where you run it from) and do this:

1. Download this file from either of the two listed locations:

http://download.bleepingcomputer.com/sUBs/combofix.exe
http://www.techsupportforum.com/sectools/combofix.exe

2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply.

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

This tool has a few functions to check for 'bad' files installed in the past few months and to look at certain registry keys that may clue me in to what is keeping this thing alive...

Thanks for YOUR patience, shane...let's keep looking!
Navigator
MRU Honors Grad Emeritus
 
Posts: 1237
Joined: December 21st, 2005, 8:35 pm
Location: Missouri

Unread postby Shaenaus » August 29th, 2006, 3:26 am

The problem seems to occur when running a Webroot Spy Sweeper scan. During the scan, a window pops up on top of the Webroot window stating that BitDefender has detected the Adware.Trymedia.B.2

Here is the ComboFix log:

Jeremy - 06-08-29 17:08:03.16
ComboFix 06.08.27BT - Running from: C:\Documents and Settings\Jeremy\Desktop

((((((((((((((((((((((((((((((( Files Created from 2006-07-29 to 2006-08-29 ))))))))))))))))))))))))))))))))))


2006-08-29 17:07 358 --a------ C:\Combo.bat
2006-08-05 17:44 117,760 --------- C:\WINDOWS\system32\xmllite.dll
2006-08-04 22:51 111,104 --a------ C:\WINDOWS\system32\uharc.exe
2006-07-29 19:32 48,936 --a------ C:\WINDOWS\system32\sirenacm.dll


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-08-29 17:07 -------- d-------- C:\Program Files\Mozilla Firefox
2006-08-29 13:00 -------- d-------- C:\Program Files\HijackThis
2006-08-29 12:48 -------- d-------- C:\Program Files\Moon Tycoon DEMO
2006-08-28 20:25 -------- d-------- C:\Program Files\Google
2006-08-28 18:58 -------- d-------- C:\Program Files\ewido anti-spyware 4.0
2006-08-26 12:38 -------- d-------- C:\Program Files\Moon Tycoon
2006-08-26 12:38 -------- d-------- C:\Program Files\Minegame
2006-08-26 12:38 -------- d-------- C:\Program Files\Messenger
2006-08-26 12:38 -------- d-------- C:\Program Files\Meegos Creator
2006-08-26 12:38 -------- d-------- C:\Program Files\MagicISO
2006-08-26 12:38 -------- d-------- C:\Program Files\LimeWire
2006-08-26 12:38 -------- d-------- C:\Program Files\Free Download Manager
2006-08-24 18:31 -------- d-------- C:\Program Files\Common Files\Microsoft Shared
2006-08-24 18:30 -------- d-------- C:\Program Files\MSN Messenger
2006-08-21 21:25 -------- d-------- C:\Program Files\Windows Desktop Search
2006-08-12 01:53 -------- d-------- C:\Program Files\Messenger Plus! Live
2006-08-11 07:05 -------- d-------- C:\Program Files\Internet Explorer
2006-08-10 16:39 -------- d--h----- C:\Program Files\InstallShield Installation Information
2006-08-08 21:00 -------- d-------- C:\Program Files\MIKSOFT
2006-08-08 20:40 -------- d-------- C:\Program Files\Common Files\Real
2006-08-08 20:40 -------- d-------- C:\Program Files\Common Files
2006-08-08 19:22 -------- d-------- C:\Documents and Settings\Jeremy\Application Data\Real
2006-08-08 18:17 -------- d-------- C:\Program Files\Real
2006-08-06 16:35 -------- d-------- C:\Program Files\LameFE
2006-08-05 15:59 -------- d-------- C:\Program Files\MSN
2006-08-03 19:33 15360 --a------ C:\WINDOWS\system32\drivers\sshrmd.sys
2006-08-03 19:33 14848 --a------ C:\WINDOWS\system32\drivers\sskbfd.sys
2006-08-03 19:33 13824 --a------ C:\WINDOWS\system32\drivers\SSFS0509.sys
2006-08-03 19:33 117248 --a------ C:\WINDOWS\system32\drivers\ssidrv.sys
2006-08-01 21:04 28672 --a------ C:\WINDOWS\system32\drivers\CO_Mon.sys
2006-08-01 20:20 -------- d-------- C:\Program Files\a-squared Anti-Malware
2006-08-01 16:08 -------- d-------- C:\Program Files\TrojanHunter 4.5
2006-07-30 18:51 -------- d-------- C:\Program Files\etax2006
2006-07-30 12:51 -------- d-------- C:\Program Files\Audacity 1.3 Beta
2006-07-28 13:08 -------- d-------- C:\Program Files\CleanUp!
2006-07-28 12:20 -------- d-------- C:\Program Files\DTV
2006-07-27 23:24 679424 --a------ C:\WINDOWS\system32\inetcomm.dll
2006-07-21 18:24 72704 --a------ C:\WINDOWS\system32\hlink.dll
2006-07-17 19:32 -------- d-------- C:\Program Files\Adobe
2006-07-17 19:29 -------- d-------- C:\Program Files\Common Files\Adobe
2006-07-17 18:42 -------- d-------- C:\Program Files\Common Files\Adobe Systems Shared
2006-07-17 17:46 -------- d-------- C:\Program Files\stock photography
2006-07-17 17:46 -------- d-------- C:\Program Files\help center
2006-07-17 17:46 -------- d-------- C:\Program Files\extendscript toolkit
2006-07-17 17:46 -------- d-------- C:\Program Files\directx
2006-07-17 17:46 -------- d-------- C:\Program Files\commonfilesinstaller
2006-07-17 17:46 -------- d-------- C:\Program Files\bridge
2006-07-17 17:34 -------- d-------- C:\Program Files\PowerISO
2006-07-16 21:34 -------- d-------- C:\Program Files\Alias
2006-07-16 17:25 -------- d-------- C:\Program Files\Common Files\Alias Shared
2006-07-16 07:40 -------- d---s---- C:\Documents and Settings\Jeremy\Application Data\Microsoft
2006-07-14 17:32 -------- d-------- C:\Documents and Settings\Jeremy\Application Data\MSN6
2006-07-13 08:33 -------- d-------- C:\Program Files\Restaurant Empire
2006-07-13 08:19 -------- d-------- C:\Program Files\Fusion Games
2006-07-13 08:16 -------- d-------- C:\Program Files\Ant War
2006-07-12 21:36 -------- d-------- C:\Program Files\Microsoft Office
2006-07-12 21:07 -------- d-------- C:\Program Files\MSBuild
2006-07-12 21:04 -------- d-------- C:\Program Files\Microsoft.NET
2006-07-12 21:04 -------- d-------- C:\Program Files\Microsoft Works
2006-07-12 21:02 -------- d-------- C:\Program Files\Microsoft Visual Studio 8
2006-07-12 20:42 -------- d-------- C:\Program Files\Common Files\Designer
2006-07-12 20:22 -------- d-------- C:\Program Files\Sibelius Software
2006-07-12 20:18 -------- d-------- C:\Program Files\Common Files\System
2006-07-12 16:59 -------- d-------- C:\Program Files\Common Files\DirectX
2006-07-12 16:01 -------- d-------- C:\Program Files\Trymedia
2006-07-11 18:47 -------- d-------- C:\Program Files\BitComet
2006-07-10 17:24 -------- d-------- C:\Program Files\Global Star Software
2006-07-09 16:37 405504 --a------ C:\WINDOWS\system32\srkey.exe
2006-07-09 16:37 -------- d-------- C:\Program Files\Small Rockets
2006-07-09 11:06 -------- d-------- C:\Documents and Settings\Jeremy\Application Data\PlayFirst
2006-07-09 09:18 -------- d-------- C:\Program Files\Insaniquarium! Deluxe
2006-07-01 15:15 -------- d-------- C:\Program Files\EA GAMES
2006-07-01 00:55 -------- d-------- C:\Program Files\Microsoft Games
2006-06-29 10:55 -------- d-------- C:\Documents and Settings\Jeremy\Application Data\Ahead
2006-06-25 17:01 374 --a------ C:\WINDOWS\system32\vfw_32.reg
2006-06-20 13:07 1452039 --a------ C:\WINDOWS\G Unit World screen saver.scr
2006-06-12 14:25 81920 --a------ C:\WINDOWS\system32\Dversion.dll
2006-06-12 14:25 122880 --a------ C:\WINDOWS\system32\DVC.dll
2006-06-03 16:57 2180224 --a------ C:\WINDOWS\system32\kernel1.exe
2006-05-12 01:49 460 --a------ C:\Program Files\INSTALL.LOG


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"InCD"="\"C:\\Program Files\\Nero\\Nero 7\\InCD\\InCD.exe\""
"SpySweeper"="\"C:\\Program Files\\Webroot\\Spy Sweeper\\SpySweeperUI.exe\" /startintray"
"BDMCon"="C:\\PROGRA~1\\Softwin\\BITDEF~1\\bdmcon.exe"
"PWRISOVM.EXE"="\"C:\\Program Files\\PowerISO\\PWRISOVM.EXE\""
"BDNewsAgent"="\"C:\\PROGRA~1\\Softwin\\BITDEF~1\\bdnagent.exe\""
"BDSwitchAgent"="\"C:\\PROGRA~1\\Softwin\\BITDEF~1\\bdswitch.exe\""
"THGuard"="\"C:\\Program Files\\TrojanHunter 4.5\\THGuard.exe\""
"!ewido"="\"C:\\Program Files\\ewido anti-spyware 4.0\\ewido.exe\" /minimized"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveAutoRun"=dword:00000300

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,a0,00,00,00,00,00,00,00,80,02,00,00,3a,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
00,00,01,00,00,00

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=hex:91,00,00,00

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=hex:91,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}"="Microsoft AntiMalware ShellExecuteHook"
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="ewido anti-spyware 4.0"
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"=""


HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\WebrootSpySweeperService

Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\MP Scheduled Scan.job

Completion time: Tue 29/08/2006 17:15:13.22
ComboFix.txt
Shaenaus
Regular Member
 
Posts: 26
Joined: July 31st, 2006, 8:20 pm
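The ComboFix section above is a plain `.reg`-style dump: bracketed key paths followed by `"name"=value` lines, with `dword:` and `hex:` encodings and backslash-continued hex lines. The following Python is an added example (not ComboFix's, HijackThis's or the forum's code) that parses that syntax and pulls out the entries a helper actually reads in such a log: Run keys, the CLSIDs registered under ShellExecuteHooks, and NoDriveTypeAutoRun in both encodings the dump uses (`dword:00000091` and `hex:91,00,00,00`). The sample export is constructed in the same format; the bit meanings for NoDriveTypeAutoRun follow Microsoft's documentation of that value (KB 967715), which is my assumption here, not something the thread states.

```python
"""Audit the autostart-relevant entries in a .reg-style export, the format
ComboFix pastes into its log. Added example; not a tool from the thread."""
import re

# Constructed sample in the same syntax as the ComboFix dump (not a real export).
SAMPLE_REG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=hex:91,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="ewido anti-spyware 4.0"
"Position"=hex:2c,00,00,00,a0,00,\
  00,00,00,00
"""

# Drive-type bits of NoDriveTypeAutoRun as Microsoft documents them (KB 967715,
# assumption, not from the thread); a set bit disables AutoRun for that class.
# 0x91 (bits 0x80 | 0x10 | 0x01) is the Windows XP default seen in the dump.
DRIVE_BITS = [
    (0x01, "drives of unknown type"),
    (0x04, "removable drives"),
    (0x08, "fixed drives"),
    (0x10, "network drives"),
    (0x20, "CD-ROM drives"),
    (0x40, "RAM disks"),
    (0x80, "drives of unknown type (reserved bit)"),
]

VALUE_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


def parse_reg(text):
    """Return {key_path: {value_name: (kind, value)}}.

    Hex values continued across lines with a trailing backslash (as in the
    "Position" value above) are joined before parsing."""
    text = re.sub(r",\\\r?\n\s*", ",", text)
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = VALUE_LINE.match(line)
        if m is None or current is None:
            continue
        name, rhs = m.group(1), m.group(2)
        if rhs.startswith("dword:"):
            keys[current][name] = ("dword", int(rhs[6:], 16))
        elif rhs.startswith("hex:"):
            data = bytes(int(b, 16) for b in rhs[4:].split(",") if b)
            keys[current][name] = ("hex", data)
        elif len(rhs) >= 2 and rhs.startswith('"') and rhs.endswith('"'):
            # .reg strings escape quotes as \" and backslashes as \\
            keys[current][name] = ("sz", rhs[1:-1].replace('\\"', '"').replace("\\\\", "\\"))
        else:
            keys[current][name] = ("raw", rhs)
    return keys


def run_entries(keys):
    """Every value under a key named ...\\Run (policies\\explorer\\run included)."""
    out = []
    for path, values in keys.items():
        if path.lower().endswith("\\run"):
            for name, (_kind, value) in values.items():
                out.append((path, name, value))
    return out


def shell_hooks(keys):
    """CLSID entries registered under Explorer\\ShellExecuteHooks."""
    out = []
    for path, values in keys.items():
        if path.lower().endswith("\\explorer\\shellexecutehooks"):
            for name, (_kind, value) in values.items():
                if name.startswith("{"):
                    out.append((name, value))
    return out


def autorun_settings(keys):
    """NoDriveTypeAutoRun per key; the REG_BINARY form hex:91,00,00,00 is little-endian."""
    out = {}
    for path, values in keys.items():
        entry = values.get("NoDriveTypeAutoRun")
        if entry is None:
            continue
        kind, value = entry
        if kind == "dword":
            out[path] = value
        elif kind == "hex" and len(value) == 4:
            out[path] = int.from_bytes(value, "little")
    return out


def autoplay_allowed(mask):
    """Drive classes on which AutoRun is still enabled for a given mask."""
    return [label for bit, label in DRIVE_BITS if not mask & bit]


if __name__ == "__main__":
    keys = parse_reg(SAMPLE_REG)
    for path, name, cmd in run_entries(keys):
        print("Run:", path, name, cmd)
    for clsid, desc in shell_hooks(keys):
        print("ShellExecuteHook:", clsid, desc or "(no description)")
    for path, mask in autorun_settings(keys).items():
        print(f"NoDriveTypeAutoRun={mask:#x} at {path}: AutoRun still on for {autoplay_allowed(mask)}")
```

The two NoDriveTypeAutoRun encodings decode to the same 0x91, so a reviewer can see at a glance that AutoRun is still enabled for removable, fixed and CD-ROM drives under every profile in the dump; a hook CLSID with an empty description (as with two of the four in the log above) is the kind of entry worth resolving against HKEY_CLASSES_ROOT\CLSID before deciding it is benign.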

Unread postby Navigator » August 29th, 2006, 9:50 pm

Hello shane....

Hmmm.

Googling trymedia malware produces lots of hits. Most of the threads I see related to this 'infection' seem to occur with the downloading of games via trymedia, like you....there is a bunch with infected temp file problems like yours. Most seem to be resolved when the game is deleted, temp files are cleaned and a scan that detects it is run, but it is often difficult.

I do see a C:\program Files\trymedia folder in the ComboFix log from your son's account that was created July 12th of this year, but I do not see any 'games' having been downloaded at the same or near that time. I do notice multiple P2P/file sharing apps installed to include Limewire and BitComet...if you can do without them, removing them via Add or Remove Programs will save you lots of malware headaches.

Let's proceed as follows from your son's account (I assume it still has administrator privileges):

1. Reveal Hidden Files

  • Click Start.
  • Open My Computer.
  • Select the Tools menu
  • Click Folder Options.
  • Select the View Tab.
  • Check Show hidden files and folders in the Hidden files and folders section.
  • Uncheck Hide protected operating system files (recommended) option.
  • Uncheck the Hide file extensions for known file types option.
  • Click Yes.
  • Click OK.


2. There is a file I'd like to get analyzed from your computer:

C:\WINDOWS\system32\kernel1.exe

Just to be safe, go to this site and have it scan it:

VirusTotal File Scan

Use the Browse button at VirusTotal, navigate to the file's location on your hard drive and submit it to them for analysis.

Let me know the results.

3. Open HijackThis, click Config, click Misc Tools
Click "Open Uninstall Manager"
Click "Save List" (generates uninstall_list.txt)
Click Save, copy and paste the results in your next post.

4. Download Gmer:

  • Unzip it and double-click Gmer.exe
  • Click the rootkit-tab and click scan.
  • Once done, click Copy.
  • This will copy the results to clipboard.
  • Paste the results in your next reply

5. Please run the F-Secure Online Scanner

Note: This Scanner is for Internet Explorer Only!
  • Follow the Instruction Here for installation.
  • Accept the License Agreement.
  • Once the ActiveX installs, Click Full System Scan
  • Once the download completes, the scan will begin automatically.
  • The scan will take some time to finish, so please be patient.
  • When the scan completes, click the Automatic cleaning (recommended) button.
  • Click the Show Report button and Copy&Paste the entire report in your next reply.


Post back with the HJT uninstall list, the VirusTotal file scan results, the Gmer rootkit scan and the F-Secure Online scan results...
Navigator
MRU Honors Grad Emeritus
 
Posts: 1237
Joined: December 21st, 2005, 8:35 pm
Location: Missouri

Unread postby Shaenaus » September 1st, 2006, 1:18 am

GMER does the Rootkit scan up until C:\WINDOWS\* and then it freezes part way through scanning the various subfolders. The cursor changes to an hourglass and the window title displays GMER 1.0.10.10122 (Not Responding).
Shaenaus
Regular Member
 
Posts: 26
Joined: July 31st, 2006, 8:20 pm

Unread postby Navigator » September 1st, 2006, 9:19 pm

OK, skip Gmer for now and do the rest of the instructions....I need to know what that file analysis is, see the uninstall list and the F-Secure scan results.

We'll probably use SpySweeper's rootkit scan later...
Navigator
MRU Honors Grad Emeritus
 
Posts: 1237
Joined: December 21st, 2005, 8:35 pm
Location: Missouri

Unread postby Shaenaus » September 2nd, 2006, 8:49 am

Gday Navigator,

Whilst I was doing the F-secure scan as you advised, BitDefender again popped up with a Spyware Alert re Adware.Trymedia.B.2

A while ago, I uninstalled the game demos that I thought might have been causing the problem. They were called something like "***Tycoon", where *** were different names e.g. MoonTyccon.

I noticed yesterday that there is still a folder in Program Files called Trymedia. However, it does not appear to have any executables in it.

Here are the various logs:

HJT uninstall list:



ACE Mega CoDecS Pack
Ad-Aware SE Personal
Adobe After Effects 7.0
Adobe Bridge 1.0
Adobe Common File Installer
Adobe Download Manager 2.0 (Remove Only)
Adobe ExtendScript Toolkit 1.0
Adobe Help Center 2.0
Adobe Reader 7.0.8
Adobe Stock Photos 1.0
Alias DirectConnect 2.0
a-squared Anti-Malware 2.0
Audacity 1.3.0
AviSynth 2.5
Battlefield 1942
Battlefield 1942 Multiplayer Demo
Battlefield 1942: The Road To Rome
BitComet 0.70
BitDefender 9 Standard
BitTorrent 4.4.1
CleanUp!
Construction Destruction
DVB-T USB 2.0
DVD Decrypter (Remove Only)
Earth Perth Wallpaper
Empires Dawn of the Modern World
EPSON CardMonitor
EPSON Copy Utility 3
EPSON PhotoQuicker3.5
EPSON PhotoStarter3.1
EPSON PRINT Image Framer Tool2.1
EPSON Printer Software
EPSON Scan
EPSON Smart Panel
EPSON Web-To-Page
ESPRX430 Reference Guide
ESPRX430 Software Guide
e-tax 2006
ewido anti-spyware 4.0
Exact Audio Copy 0.95b4
Free Download Manager 2.0
Google Earth
Google Video Player
Halo Zero V1.8.6
HijackThis 1.99.1
Hotfix for Windows XP (KB896344)
Hotfix for Windows XP (KB914440)
Hotfix for Windows XP (KB915865)
igLoader 2,0,0,2
Insaniquarium! Deluxe (remove only)
iTunes
J2SE Runtime Environment 5.0 Update 1
J2SE Runtime Environment 5.0 Update 3
J2SE Runtime Environment 5.0 Update 6
LimeWire Download Accelerator Pro 2.3
LimeWire Extreme 3.0
LimeWire PRO 4.10.0
Logitech iTouch Software
Logitech MouseWare 9.41 .1
Logitech User's Guide
LogonStudio
Macromedia Flash Player 8
Macromedia Shockwave Player
Magic ISO Maker v5.3 (build 0199)
Maya 6.5
Maya 7.0 Personal Learning Edition
Meegos Creator
Messenger Plus! 3
Messenger Plus! Live
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB886903)
Microsoft .NET Framework 2.0
Microsoft Base Smart Card Cryptographic Service Provider Package
Microsoft Combat Flight Simulator 3.0
Microsoft Flight Simulator 2004 A Century of Flight
Microsoft Office 2000 Professional
Microsoft Office Access MUI (English) 2007 (Beta)
Microsoft Office Excel MUI (English) 2007 (Beta)
Microsoft Office InfoPath MUI (English) 2007 (Beta)
Microsoft Office Outlook MUI (English) 2007 (Beta)
Microsoft Office PowerPoint 2003 Template Pack 1
Microsoft Office PowerPoint 2003 Template Pack 2
Microsoft Office PowerPoint 2003 Template Pack 3
Microsoft Office PowerPoint MUI (English) 2007 (Beta)
Microsoft Office Professional 2007 (Beta)
Microsoft Office Professional Plus 2007 (Beta)
Microsoft Office Proof (English) 2007 (Beta)
Microsoft Office Proof (French) 2007 (Beta)
Microsoft Office Proof (Spanish) 2007 (Beta)
Microsoft Office Publisher MUI (English) 2007 (Beta)
Microsoft Office Shared MUI (English) 2007 (Beta)
Microsoft Office Sounds
Microsoft Office Word MUI (English) 2007 (Beta)
Microsoft User-Mode Driver Framework Feature Pack 1.0.0 (Pre-Release 5348)
Microsoft Windows Journal Viewer
Mobile Media Converter
Mozilla Firefox (1.5.0.5)
Need for Speed™ Most Wanted
Nero 7 Demo
Nero Suite
NVIDIA Windows 2000/XP Display Drivers
Office Animation Runtime
OpenOffice.org 2.0
PhotoImpression 5
PhotoNow! 1.0
PIF DESIGNER2.1
PowerDirector
PowerDVD
PowerISO
PSP Video 9 1.74
QuickTime
Rome - Total War(TM)
SAMSUNG Mobile USB Modem 1.0 Software
Samsung Mobile USB Modem Software
Samsung PC Studio
Samsung PC Studio 3 USB Driver Installer
Security Update for Microsoft .NET Framework 2.0 (KB917283)
Security Update for Windows Media Player (KB911564)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899589)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB908531)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB916281)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Serif PhotoPlus 6.0
SmartSound Quicktracks Plugin
Spy Sweeper
Spybot - Search & Destroy 1.4
Star Wars JK II Jedi Outcast
StyleBuilder (remove only)
StyleXP (remove only)
Tom Clancy's Rainbow Six 3: Raven Shield
TrojanHunter 4.5
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB904942)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
VideoLAN VLC media player 0.8.5
Videora Trial Version 2.15
Volume 2 GUnit Massacre
WinAVIVideoConverter
Windows Defender
Windows Defender Signatures
Windows Desktop Search
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7 Beta 3
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Media Connect
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Format SDK Hotfix - KB891122
Windows Media Player 11
Windows Media Player 11
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Windows XP Service Pack 2
WinRAR archiver
Xingtone Ringtone Maker
X-Plane 8.0

VirusTotal File Scan:

SERVER RESPONSE
________________________________________
Results of a file scan
This is a report processed by VirusTotal on 09/01/2006 at 05:47:01 (CET) after scanning the file "kernel1.exe" file.
Antivirus Version Update Result
AntiVir 6.35.1.11 08.31.2006 no virus found
Authentium 4.93.8 08.31.2006 no virus found
Avast 4.7.844.0 08.31.2006 no virus found
AVG 386 08.31.2006 no virus found
BitDefender 7.2 08.31.2006 no virus found
CAT-QuickHeal 8.00 08.31.2006 no virus found
ClamAV devel-20060426 08.31.2006 no virus found
DrWeb 4.33 08.31.2006 no virus found
eTrust-InoculateIT 23.72.112 09.01.2006 no virus found
eTrust-Vet 30.3.3052 08.31.2006 no virus found
Ewido 4.0 08.31.2006 no virus found
Fortinet 2.77.0.0 08.31.2006 no virus found
F-Prot 3.16f 08.31.2006 no virus found
F-Prot4 4.2.1.29 08.31.2006 no virus found
Ikarus 0.2.65.0 08.31.2006 no virus found
Kaspersky 4.0.2.24 09.01.2006 no virus found
McAfee 4842 08.31.2006 no virus found
Microsoft 1.1560 09.01.2006 no virus found
NOD32v2 1.1734 08.31.2006 no virus found
Norman 5.90.23 08.31.2006 no virus found
Panda 9.0.0.4 08.31.2006 no virus found
Sophos 4.09.0 09.01.2006 no virus found
Symantec 8.0 09.01.2006 no virus found
TheHacker 5.9.8.202 08.31.2006 no virus found
UNA 1.83 09.01.2006 no virus found
VBA32 3.11.1 08.31.2006 no virus found
VirusBuster 4.3.7:9 08.31.2006 no virus found


F-secure Online scan:

Scanning Report
Saturday, September 02, 2006 20:36:06 - 22:28:36

Computer name: SMITH
Scanning type: Scan system for viruses, rootkits, spyware
Target: C:\
Result: 0 malware found
Statistics
Scanned:

* Files: 39809
* System: 7009
* Not scanned: 142

Actions:

* Disinfected: 0
* Renamed: 0
* Deleted: 0
* None: 0
* Submitted: 0

Files not scanned:

x+

Options
Scanning engines:

* F-Secure AVP: 6.0.171, 2006-09-01
* F-Secure Libra: 2.4.1, 2006-09-01
* F-Secure Orion: 1.2.37, 2006-09-01
* F-Secure Blacklight: 1.0.31, 0000-00-00
* F-Secure Pegasus: 1.19.0, 2006-07-30
* F-Secure Draco: 1.0.35, 0259-24-212

Scanning options:

* Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML ZIP XXX
* Use Advanced heuristics

Thanks once again,
Shane.
Shaenaus
Regular Member
 
Posts: 26
Joined: July 31st, 2006, 8:20 pm
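The VirusTotal report pasted above is plain text with one engine per line: name, engine version, signature date, then the verdict as free text. As an added example (not the forum's or VirusTotal's own code), the Python below parses that layout, counts how many engines flagged the file, and computes the SHA-256 that can be searched for on VirusTotal before uploading a file at all. The report text is constructed here in the same layout as the one in the thread; the BitDefender detection row is invented to show how a hit is counted, and the engine names are just the vendors listed above.

```python
"""Summarise a VirusTotal text report and hash a file before submission.
Added example; not code from the thread or from VirusTotal."""
import hashlib
import re

# Constructed report in the layout pasted in the thread. The BitDefender line
# is an invented detection so that the summary has something to count.
SAMPLE_REPORT = """\
SERVER RESPONSE
________________________________________
Results of a file scan
This is a report processed by VirusTotal on 09/01/2006 at 05:47:01 (CET) after scanning the file "sample.exe" file.
Antivirus Version Update Result
AntiVir 6.35.1.11 08.31.2006 no virus found
BitDefender 7.2 08.31.2006 Adware.Trymedia
eTrust-InoculateIT 23.72.112 09.01.2006 no virus found
Ewido 4.0 08.31.2006 no virus found
VirusBuster 4.3.7:9 08.31.2006 no virus found
"""

# engine, version, signature date (MM.DD.YYYY), then the verdict as free text.
# The date column is what separates a result row from the prose lines above it.
ROW = re.compile(r"^(\S+)\s+(\S+)\s+(\d{2}\.\d{2}\.\d{4})\s+(.+?)\s*$")
CLEAN = "no virus found"


def parse_report(text):
    """One dict per engine row; header and banner lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            engine, version, updated, result = m.groups()
            rows.append({"engine": engine, "version": version,
                         "updated": updated, "result": result})
    return rows


def summarize(rows):
    """Detection count plus the (engine, name) pairs that fired."""
    hits = [(r["engine"], r["result"]) for r in rows if r["result"].lower() != CLEAN]
    return {"engines": len(rows), "detections": len(hits), "names": hits}


def sha256_bytes(data):
    """Hex SHA-256 of an in-memory blob (used by the test)."""
    return hashlib.sha256(data).hexdigest()


def sha256_file(path, chunk=1 << 16):
    """Hex SHA-256 of a file on disk, read in chunks so large binaries are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


if __name__ == "__main__":
    s = summarize(parse_report(SAMPLE_REPORT))
    print(f"{s['detections']}/{s['engines']} engines flagged the file: {s['names']}")
```

A zero-detection summary, as kernel1.exe produced above, only says that none of the engines had a signature for the file on that date, which is why the helper in the thread keeps looking at behaviour (the recurring BitDefender alert and its reported location) rather than treating the scan as proof the file is benign.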

Unread postby Navigator » September 2nd, 2006, 4:41 pm

Hello shane....no problem. Man this is a pest!

There are so many things in that uninstall list that it may be hard to pin down the cause of this...there are multiple P2P/File sharing programs, downloaded Codecs, games, demos etc., but nothing that I see as malicious...

There is one game however, Construction Destruction, that I believe after researching comes from trymedia systems...is this the full paid version or the demo version? If it's the demo version, I'd uninstall it.

The kernel1.exe file looks 'clean'. We're not finding much in the scans that do work, but I have to wonder why some of the standard scans are not working (Panda, Gmer)?

When you run a BitDefender scan (your installed AV program) on your system, what does it find? If it finds the adware.trymedia.B2 does it give a location on your system?

I would do the following from your son's account:

1. Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only

Save it to your desktop.

2. Reboot your computer to safe mode as we did previously. Log into your son's account.

3. Please delete these folders using Windows Explorer (if present):
  • Click Start>>All Programs>>Accessories>>Windows Explorer
  • Navigate to the listed folders, then right-click to select them and click delete


C:\Program Files\trymedia


4. Still in safe mode, double-click ATF-Cleaner.exe to run the program.

    Under Main choose: Select All
    Click the Empty Selected button.
If you use Firefox browser
    Click Firefox at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser
    Click Opera at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

5. Reboot into Windows normally, log into your son's account and run a BitDefender and Spy Sweeper scan and see if the problems still exists. If the problem still exists, let's do an online scan with Kaspersky to see if it finds any files/references to trymedia:


Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
      Extended (if available otherwise Standard)
    • Scan Options:
      Scan Archives
      Scan Mail Bases

  • Click OK
  • Now under select a target to scan:
      Select My Computer
  • This program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
Navigator
MRU Honors Grad Emeritus
 
Posts: 1237
Joined: December 21st, 2005, 8:35 pm
Location: Missouri

Unread postby Shaenaus » September 4th, 2006, 8:40 pm

I uninstalled Construction Destruction as advised.

I then ran a BitDefender scan and it said that the computer was clean. I then checked the log of the scan and it said that there was a file with adware in it. The file was in my son's account and it was an executable.

I then did as advised with ATF Cleaner but in addition to deleting C:\Program Files\trymedia I also deleted the executable file.

After rebooting into Windows normally, I logged into my son's account and ran a BitDefender scan and also a Spy Sweeper scan and I am happy to say that it appears that, finally, my PC is clean!

Thanks so much for your patience and support. I really do appreciate it. Now to change everyone's account back to a "Limited" account and hopefully this won't happen again.

By the way, BitDefender appears to have been configured such that it takes no action other than to report it when it intercepts a virus or malware. I am now trying to figure out how to get it to automatically quarantine a suspicious file. I have looked at all the options and, for the moment, I can't seem to find anything to click on to change it.

All the best,
Shane.
Shaenaus
Regular Member
 
Posts: 26
Joined: July 31st, 2006, 8:20 pm

Unread postby Shaenaus » September 4th, 2006, 9:35 pm

I have worked out how to change the settings on BitDefender.
Shaenaus
Regular Member
 
Posts: 26
Joined: July 31st, 2006, 8:20 pm

Unread postby Navigator » September 4th, 2006, 11:33 pm

Hello shane....That's GREAT! :D I'm glad to hear it's gone!

You are welcome!

Your HJT appears clean and I'm glad your system is running well without problems! If anything comes up in the next few days that you need help with, feel free to post it here...I'll stay subscribed to the thread for a few days to make sure everything is OK.

You can remove/delete any of the programs I had you install to try and help with the cleaning process. If you like ATF Cleaner, you can keep it around...it's a handy temp file cleaner!

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
  • THIS IS IMPORTANT! - If you are using Windows XP then you should reset system restore to make sure there are no infected files found in a restore point and that you have a clean restore point should you need one!

    Now let's reset your restore points.

    Click Start Menu >> All Programs >> Accessories >> System Tools >> System Restore

    Press OK. Choose 'Create a Restore Point' then Next. Name it and press 'Create' then when the confirmation screen shows the restore point has been created click 'Close'.

    Next go to Start Menu >> Run, then type:

    cleanmgr


    click OK, when Disk Cleanup opens go to the 'More Options' tab and press 'Cleanup' on the system restore area which will remove all the restore points except the one we just created. To close Disk Cleanup and remove the Temporary Internet Files detected in the initial scan click OK then choose Yes on the confirmation window.

  • Make your Internet Explorer more secure - This can be done by following these simple instructions:
    • From within Internet Explorer click on the Tools menu and then click on Options.
    • Click once on the Security tab
    • Click once on the Internet icon so it becomes highlighted.
    • Click once on the Custom Level button.
      • Change the Download signed ActiveX controls to Prompt
      • Change the Download unsigned ActiveX controls to Disable
      • Change the Initialize and script ActiveX controls not marked as safe to Disable
      • Change the Installation of desktop items to Prompt
      • Change the Launching programs and files in an IFRAME to Prompt
      • Change the Navigate sub-frames across different domains to Prompt
    • When all these settings have been made, click on the OK button.
    • If it prompts you as to whether or not you want to save the settings, press the Yes button.
    • Next press the Apply button and then the OK to exit the Internet Properties page.
The following is a list of tools and utilities that I like to suggest to people. This list is full of great tools and utilities to help you understand how you got infected and how to keep from getting infected again.
  • Spybot Search & Destroy - Uber powerful tool which can search and annihilate nasties that make it onto your system. Now with an Immunize section that will help prevent future infections.
  • AdAware - Another very powerful tool which searches and kills nasties that infect your system. AdAware and Spybot Search & Destroy complement each other very well.
  • SpywareBlaster - Great prevention tool to keep nasties from installing on your system.
  • SpywareGuard - Works as a Spyware "Shield" to protect your computer from getting malware in the first place.
  • IE-SpyAd - puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
  • ATF Cleaner by Atribune. This program is for XP and Windows 2000 only. ATF is a new, freeware, temporary file cleaner for Windows, IE, Firefox and Opera with a simple, easy-to-use interface. The main screen allows the user to either clean all temporary files, or select files for cleaning. The program also knows if Firefox and or Opera is being used, and gives the option of cleaning the temporary files associated with those applications.
To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein. These are excellent reads too: I'm not pulling your leg and Malware: Preventing the Infection



Remember...be careful out there (or should I tell your son that? LOL...)!
Navigator
MRU Honors Grad Emeritus
 
Posts: 1237
Joined: December 21st, 2005, 8:35 pm
Location: Missouri